ASP.NET Core 2.2 - Password reset not working on Azure (Invalid token)

appveyor azure entity-framework-core


I have an ASP.NET Core 2.2 application running on multiple instances on an Azure Web App; it uses EF Core 2.2 and ASP.NET Identity.

Everything works fine except the Password Reset flow where a user receives a link with token per e-mail and needs to choose a new password by clicking on that link. It works perfectly locally, but on Azure it always fails with an "Invalid Token" error.

The tokens are HTML encoded and decoded as necessary; and I have checks in place to ensure they match those on the database; URL encoding is not the issue.

I've configured DataProtection to store the keys to an Azure Blob storage, but to no avail. The keys are stored in the blob store all right, but I still get an "Invalid Token" error.

Here's my set up on Startup.cs:

public void ConfigureServices(IServiceCollection services)
    // This needs to happen before "AddMvc"
    // Code for this method shown below

    services.AddDbContext<MissDbContext>(options => options.UseSqlServer(Configuration.GetConnectionString("DefaultConnection")));

    var sp = services.BuildServiceProvider();

    services.ConfigureApplicationCookie(x =>
        x.Cookie.Name = ".MISS.SharedCookie";
        x.ExpireTimeSpan = TimeSpan.FromHours(8);
        // We need to set the cookie's DataProtectionProvider to ensure it will get stored in the azure blob storage
        x.DataProtectionProvider = sp.GetService<IDataProtectionProvider>();

    services.AddIdentity<ApplicationUser, ApplicationRole>()

    services.Configure<SecurityStampValidatorOptions>(options => 
        options.ValidationInterval = TimeSpan.FromMinutes(10);
        options.OnRefreshingPrincipal = context =>
            var originalUserIdClaim = context.CurrentPrincipal.FindFirst("OriginalUserId");
            var isImpersonatingClaim = context.CurrentPrincipal.FindFirst("IsImpersonating");
            if (isImpersonatingClaim?.Value == "true" && originalUserIdClaim != null)
            return Task.FromResult(0);

     // some more initialisations here

And here is the AddDataProtection method:

/// <summary>
/// Add Data Protection so that cookies don't get invalidated when swapping slots.
/// </summary>
/// <param name="services"></param>
/// <returns></returns>
void AddDataProtecion(IServiceCollection services)
    var sasUrl = Configuration.GetValue<string>("DataProtection:SaSUrl");
    var containerName = Configuration.GetValue<string>("DataProtection:ContainerName");
    var applicationName = Configuration.GetValue<string>("DataProtection:ApplicationName");
    var blobName = Configuration.GetValue<string>("DataProtection:BlobName");
    var keyIdentifier = Configuration.GetValue<string>("DataProtection:KeyVaultIdentifier");

    if (sasUrl == null || containerName == null || applicationName == null || blobName == null)

    var storageUri = new Uri($"{sasUrl}");

    var blobClient = new CloudBlobClient(storageUri);

    var container = blobClient.GetContainerReference(containerName);

    applicationName = $"{applicationName}-{Environment.EnvironmentName}";
    blobName = $"{applicationName}-{blobName}";

        .PersistKeysToAzureBlobStorage(container, blobName);

I've also tried persisting the keys to the DbContext, but the result is the same: keys are stored, but I still get anInvalid token message when attempting a password reset, Every. Single. Time.

the Request Password Reset method

public async Task RequestPasswordReset(string emailAddress, string ip, Request httpRequest) 
    var user = await _userManager.FindByEmailAsync(emailAddress);

    var resetToken = await _userManager.GeneratePasswordResetTokenAsync(user);

    var resetRequest = new PasswordResetRequest
        CreationDate = DateTime.Now,
        ExpirationDate = DateTime.Now.AddDays(1),
        UserId = user.Id,
        Token = resetToken,
        IP = ip

    await _context.SaveChangesAsync();

    await SendPasswordResetEmail(user, resetRequest, httpRequest);

The Reset password method

Once the user requests a password reset, they receive an e-mail with a link and a token; here's how I attempt to reset the user's password after the user clicks on that link:

public async Task<IdentityResult> ResetPassword(string token, string password) 
    // NO PROBLEM HERE - The received token matches with the one in the Db
    var resetRequest = await _context.PasswordResetRequests
        .FirstOrDefaultAsync(x => x.Token == token);

    var user = await _userManager.FindByIdAsync(resetRequest.UserId);

    // PROBLEM - This method returns "Invalid Token"
    var result = await _userManager.ResetPasswordAsync(user, resetRequest.Token, password);

    if (result.Succeeded)
        await SendPasswordChangedEmail(user);

    return result;

As I state in the code comments, the token received in the request matches the one generated in the database, but ResetPasswordAsync does it's own token validation, and that fails.

Any help would still be appreciated

6/5/2019 2:49:38 PM

Popular Answer

It seams your token was generated with a different way. Could you try this ? generate new token :

var code = await UserManager.GeneratePasswordResetTokenAsync(resetRequest.UserId);

and reset password :

var resetResult = await userManager.ResetPasswordAsync(resetRequest.UserId, code, password);

the other case is incorrect HTML encoding for token:

token = HttpUtility.UrlDecode(token) ;

The next case is userManager has to be singleton (or at least tokenProvider class) for each requests.

this is link to source code

manually token processing in case different instances for token providers due to storing tokens into private variable:

private readonly Dictionary<string, IUserTwoFactorTokenProvider<TUser>> _tokenProviders =
            new Dictionary<string, IUserTwoFactorTokenProvider<TUser>>();

The next code might be implemented:

  public override async Task<bool> VerifyUserTokenAsync(TUser user, string tokenProvider, string purpose, string token)
            if (user == null)
                throw new ArgumentNullException(nameof(user));
            if (tokenProvider == null)
                throw new ArgumentNullException(nameof(tokenProvider));
//should be overriden
// if (!_tokenProviders.ContainsKey(tokenProvider))
//           {
//              throw new 
//Resources.NoTokenProvider, tokenProvider));
//          }
// Make sure the token is valid
//        var result = await _tokenProviders[tokenProvider].ValidateAsync(purpose, token, this, user);

  //          if (!result)
  //        {
  //          Logger.LogWarning(9, "VerifyUserTokenAsync() failed with //purpose: {purpose} for user {userId}.", purpose, await GetUserIdAsync(user));
       //    }
var resetRequest = await _context.PasswordResetRequests
        .FirstOrDefaultAsync(x => x.Token == token);
            if (resetRequest == null )
                return IdentityResult.Failed(ErrorDescriber.InvalidToken());

            // Make sure the token is valid
            var result = resetRequest.IsValid();

            if (!result)
                Logger.LogWarning(9, "VerifyUserTokenAsync() failed with purpose: {purpose} for user {userId}.", purpose, await GetUserIdAsync(user));
            return result;
5/28/2019 5:45:24 PM

Related Questions


Licensed under: CC-BY-SA with attribution
Not affiliated with Stack Overflow
Licensed under: CC-BY-SA with attribution
Not affiliated with Stack Overflow